Australia's Biggest Breach Offender: Healthcare Sector

With Australia's data breach reporting law now in full effect, figures published for the second quarter of this year reveal that the country's healthcare sector is the worst breach offender. The finding is sure to intensify the scrutiny already facing the country's controversial e-health records project.

The country's data breach regulator, the Office of the Australian Information Commissioner, released the data breach statistics that it collected, covering breach reports that it received from April through June. It is the first full reporting period since Australia's mandatory breach notification law came into effect on Feb. 22.

The OAIC's second-quarter 2018 report on data breaches.

The OAIC says it received 49 notifications from healthcare providers. Of those, 41 incidents involved fewer than 1,000 people; five incidents involved between 1,001 and 5,000 people; two involved between 5,001 and 10,000 people; and one incident involved between 10,001 and 25,000 people.

The financial industry had the second greatest number of notifications at 36, followed by the legal, accounting and management services sector at 20, the education sector at 19 and business and professional associations at 15.

The OAIC does not identify the organizations that reported a breach. Organizations required to notify the regulator (they have up to 30 days to assess a suspected breach and must notify as soon as practicable once they conclude it is an eligible breach) include most government agencies plus businesses and nonprofits with an annual turnover (revenue) of AU$3 million (US$2.2 million) or more. The requirement also applies to credit agencies, private health service providers and entities that record tax file numbers, or TFNs.

Biggest Problem: Human Error

Some 59 percent of the healthcare breaches were attributable to human error, the OAIC says, while the remaining 41 percent were due to malicious or criminal attacks.

Human error is a catch-all term for a range of mistakes, such as failing to use bcc - blind carbon copy - when emailing a group and instead exposing the full recipient list to everyone on it. Other common errors: sending data by email to the wrong person, losing or improperly disposing of storage devices and unintentionally exposing sensitive information.
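The bcc mistake is easy to catch before a message leaves the organisation. The following is an added example, not code from the article or the OAIC: a small check for an outbound-mail hook that flags any message in which two or more outside parties would see each other's address in To: or Cc:, and a fixer that moves those addresses to Bcc:. The internal domain (clinic.example) and the sample message are constructed for the illustration.

```python
"""Guard against the classic bcc error: a group mailing whose recipient
list sits in To:/Cc:, so every recipient sees every other address.

Added example, not the OAIC's or the article's code.  Assumptions:
INTERNAL_DOMAIN is the sending organisation's own domain; colleagues
may see each other, but outside parties (patients, clients) must not.
"""
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "clinic.example"  # assumed for the example


def header_addresses(msg, header):
    """Lower-cased addresses from every instance of `header` (e.g. To, Cc)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def is_internal(addr):
    return addr.endswith("@" + INTERNAL_DOMAIN)


def external_visible_recipients(msg):
    """Outside addresses visible to every recipient (To: then Cc:), de-duplicated."""
    seen, out = set(), []
    for addr in header_addresses(msg, "To") + header_addresses(msg, "Cc"):
        if not is_internal(addr) and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def exposes_recipient_list(msg):
    """True when at least two outside parties would each learn the other's address."""
    return len(external_visible_recipients(msg)) > 1


def enforce_bcc(msg):
    """Return a copy of `msg` with external To:/Cc: addresses moved to Bcc:.

    Internal colleagues stay visible.  If no internal address remains in To:,
    the RFC 5322 empty group 'Undisclosed recipients:;' is used instead.
    The example assumes a plain-text body (set_content rebuilds the Content-* headers).
    """
    fixed = EmailMessage()
    for name, value in msg.items():
        lname = name.lower()
        if lname in ("to", "cc", "bcc") or lname.startswith("content-"):
            continue
        fixed[name] = value
    fixed.set_content(msg.get_content())

    externals = external_visible_recipients(msg)
    if len(externals) <= 1:
        # A single outside party only sees its own address: nothing to hide.
        fixed["To"] = ", ".join(header_addresses(msg, "To"))
        if header_addresses(msg, "Cc"):
            fixed["Cc"] = ", ".join(header_addresses(msg, "Cc"))
        if header_addresses(msg, "Bcc"):
            fixed["Bcc"] = ", ".join(header_addresses(msg, "Bcc"))
        return fixed

    internal_to = [a for a in header_addresses(msg, "To") if is_internal(a)]
    internal_cc = [a for a in header_addresses(msg, "Cc") if is_internal(a)]
    fixed["To"] = ", ".join(internal_to) if internal_to else "Undisclosed recipients:;"
    if internal_cc:
        fixed["Cc"] = ", ".join(internal_cc)
    fixed["Bcc"] = ", ".join(header_addresses(msg, "Bcc") + externals)
    return fixed


def sample_bulk_message():
    """Constructed example: a practice-wide notice with patients placed in To:/Cc:."""
    msg = EmailMessage()
    msg["From"] = "reception@clinic.example"
    msg["To"] = "nurse@clinic.example, pat.one@mail.example, pat.two@mail.example"
    msg["Cc"] = "pat.three@other.example"
    msg["Subject"] = "Flu clinic dates"
    msg.set_content("Our flu clinics run next week.")
    return msg


if __name__ == "__main__":
    m = sample_bulk_message()
    print("exposed before:", exposes_recipient_list(m))
    f = enforce_bcc(m)
    print("exposed after:", exposes_recipient_list(f))
    print(f)
```

When the corrected message is handed to smtplib.SMTP.send_message, the Bcc: header is removed from the transmitted copy and its addresses are used only as envelope recipients, which is the behaviour the fix relies on; a gateway that sent the header through verbatim would reintroduce the exposure.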

Of the 20 incidents that resulted from criminal or malicious activity, nine were due to theft of paper records or of a data storage device, three were due to rogue or malicious employees and eight were classified as "cyber incidents."

The cyber incidents included two cases of malware, two cases involving compromised or stolen credentials, two cases of phishing attacks that captured credentials, plus one ransomware attack and one brute-force attack.

The OAIC breakdown of cyber incidents that affected the healthcare industry between April and June.

E-Health Records

Although the healthcare sector has the most reported breaches, the figures exclude incidents involving the My Health Record system.

Parliament passed the My Health Records Act in 2012. The law authorizes the creation of digital health records for patients that can be used by providers. The government contends that patient outcomes can be improved with better information sharing via My Health Record.

Security incidents involving My Health Record, however, fall under specific notification requirements in the law and not the mandatory breach notification scheme.

In its early days, the My Health Record program saw slow uptake among clinicians and the general public, who had to opt in to the program. So the government changed its strategy, making it an opt-out program.

Health Minister Greg Hunt

That change rankled privacy activists and raised security concerns in an era of seemingly nonstop data breaches. As many as 13,000 healthcare providers will have access to the database.

But on Tuesday, the government announced some changes in light of the ongoing criticism of the project and its implementation. Health Minister Greg Hunt announced plans to tweak the law so that no government agency would be able to access a record without a court order. That move would resolve ongoing ambiguity and concern over who exactly can access any individual's health information.

Hunt also said the government would allow people to permanently delete their record from the system at any time. Under the original plan, those who had a record could cancel it, but the data would be retained for 30 years after the person's death or, where the date of death is unknown, 130 years after the person's birth.

Weak Point: The Humans

The OAIC's breach report highlights where security improvements need to be made.

Of the 242 notifications received across all sectors in the second quarter, 59 percent were due to malicious or criminal attacks, followed by human error at 36 percent and system faults at 5 percent.

Of the malicious or criminal attacks, the OAIC says "many cyber incidents in this quarter appear to have exploited vulnerabilities involving a human factor (such as clicking on a phishing email or disclosing passwords)."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
